One of the world’s most controversial private spying companies, now the target of a criminal investigation in Greece and a European parliamentary inquiry, is headquartered in Ireland where it mirrors the tax structures used by tech multinationals, The Currency can reveal.

Irish filings for Thalestris Limited, the parent company of the Predator spyware vendor Intellexa, show its main market as the Middle East, and an investigation by the Canadian non-profit CitizenLab found “likely Predator customers” in authoritarian states including Egypt and Saudi Arabia. 

The company is registered at a law firm in Balbriggan, Co Dublin. The application to incorporate the company was submitted in November 2019 by a company formation specialist.

Thalestris is part of a complex international web of companies either fully or partly controlled by the Israeli businessman Tal Dilian, a former senior commander in the Israel Defence Forces’ Unit 81. The secret technology division was once described by a former officer as being like “an intelligence toy factory”. 

Dilian’s military career was eventually derailed by an investigation into the misuse of public funds. The investigation ended a glittering 23-year stint that culminated in his being awarded the Israel Defence Prize in 1998. Dilian is also a Maltese (and therefore EU) citizen as of 2017, according to public records in Malta. How he acquired his citizenship is unknown, but Malta has a citizenship-for-investment programme, more commonly known as a “golden passport” scheme, that allows wealthy individuals to acquire citizenship in exchange for a minimum investment in the country.

Dilian’s companies are now the target of a European Parliament inquiry and of an investigation by Greek prosecutors. Dilian, who is identified on his own website and on that of Intellexa as the founder of the business, is not named on the Irish company documents; however, Sara Hamou, Dilian’s partner according to property documents filed in Switzerland, is named as director. Hamou has also been described as Dilian’s second wife in news reports.

Past members of Unit 81 have frequently gone on to multi-million dollar careers in the tech industry. A 2021 investigation by Calcalist, an Israeli business paper, found that approximately 100 veterans of the unit had founded 50 companies that were cumulatively worth over $10 billion. 

Dilian himself was the founder of one of those companies, Circles Technologies, a company later sold to the private equity firm Francisco Partners for $130 million and merged with another Francisco acquisition – the now-infamous NSO Group, the company that was implicated in the surveillance of the Saudi journalist Jamal Khashoggi by Saudi Arabia. Khashoggi was later murdered, with multiple investigations, including by the UN, concluding that the Saudi state was responsible for his assassination.

One of Thalestris’s subsidiaries is a company called Intellexa, also registered to the Balbriggan address. The company also has a corporate presence in Greece. Intellexa has been referred to as a “marketing alliance” and a “one-stop-shop” for cyber operations. Members of the alliance include Dilian’s WiSpear, Nexa Technologies in France, and another Israeli start-up called Senpai Technologies. 

Questionable business dealings have frequently dogged alliance members. Senpai was identified in Israeli courts as acting on behalf of then Malaysian Prime Minister Najib Razak to spy on opposition parties. Razak was later jailed for corruption. Senior executives at Nexa Technologies, meanwhile, were indicted in France for selling surveillance technology to Libya and Egypt.

“It’s like a palace of mirrors,” said Sophie in ’t Veld, a Dutch MEP who is part of the ongoing European Parliament inquiry into spyware. “It’s so complex, and the whole trade in spyware is murky, dirty, and basically an underworld.”

It was through Intellexa, in 2018, that Dilian acquired control of the spyware Predator. The software was developed by a North Macedonian company called Cytrox, which, Dilian said, was “rescued” by Intellexa in a “sub-$5 million acquisition”. Dilian revealed this acquisition in an interview with Forbes in 2019. The published article, headlined ‘Multimillionaire Spyware Dealer And His $9 Million WhatsApp Hacking Van,’ included a video in which Dilian showed off the surveillance capabilities of a “hacking van” Forbes said was powered by Cytrox technology.

Dilian’s surprising openness about this technology had immediate consequences, with Cypriot authorities launching an investigation into Dilian and his Cypriot-registered company WiSpear. It was only 12 days after this criminal investigation was publicly revealed, on November 15, 2019, that Thalestris and Intellexa were incorporated in Ireland. The case was concluded in February of this year, with Cypriot authorities fining WiSpear €76,000 for illegally hacking the communications of 626 private citizens with the van. The company had already been fined €925,000 for GDPR violations related to the van’s activities. 

The “spy van” incident, and in part the subsequent corporate move to Ireland, also led Dilian’s former business partner Avi Rubinstein to bring a suit against him early in 2021. Rubinstein alleged Dilian and a third partner, Oz Liv, acted illegally to dilute Rubinstein’s shares in a company called Aliada, which he alleged was the beneficial owner of the Intellexa suite of cyberweapons, “through a pyramid of companies set up overseas.”

Court records show the Irish company Thalestris was named as a defendant in the case. Aliada is registered in the British Virgin Islands, and company documents name Dilian as one of the directors. “Tal Dilian is clearly the central figure here,” In ’t Veld told The Currency.

Accounts for Thalestris show it sold around €20 million worth of software worldwide in 2020, with about €11 million being sold to clients in the Middle East. The CitizenLab investigation said it had found evidence of Predator customers in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.

“It’s hypocritical to come and say, ‘How come you sold to Mexico?’ It’s legitimate. Why not? If the US approves sales to Mexico, the EU,” Dilian told Forbes. “We work with the good guys. And sometimes the good guys don’t behave.”

Thalestris, technology and tax

Since its establishment in Dublin in November 2019, Thalestris has published accounts once, for the period ending on December 31, 2020. The filing consolidated figures for the company, its Irish subsidiary Intellexa Ltd and 10 other companies they own across Europe and the British Virgin Islands.

The accounts reveal that the company was not liable to pay any corporation tax because it was technically loss-making after using a number of fiscal provisions familiar to multinationals operating in Ireland.

Out of €20.8 million in revenue, the company reported a gross profit of €15.8 million, but this was wiped out by heavy tax-deductible costs. The largest was €13.2 million in “research and development expenses”. Thalestris directors reported that “The group is engaged in significant research and development activities in connection with carrying out its principal activities,” but with only six employees across all companies, it is unclear how it was able to spend all this money.

Similar structures used by multinationals typically direct payments for R&D to related companies outside Ireland under so-called cost-sharing agreements. When new intellectual property is developed, it is then acquired by the Irish company.

At least some of this structure is reflected in Thalestris, which reported the acquisition of €12.8 million worth of intellectual property. “The intellectual property was acquired on 20 July 2020 and had been amortised from this date until the period end. It has an estimated useful life of five years,” the company reported.

Under Ireland’s unique Capital Allowance for Intangible Assets (CAIA), such amortisation costs are entirely tax deductible as long as they don’t exceed 80 per cent of trading profits. Over five years, this means Thalestris can offset up to €2.6 million against its taxable profit each year. The company duly reported an initial €1.2 million amortisation charge for the period following its IP acquisition in July 2020.

Another €3.6 million was shaved off taxable income as the “cost of inventories recognised as expense”. The company reported: “Inventories are valued at the lower cost and net realisable value. Net realisable value includes, where necessary, provisions for slow moving and obsolete stocks.”

This means that products enter and exit stocks at different values – in this case, resulting in a lower taxable profit. “Calculation of these provisions requires judgements to be made, which include forecast consumer demand, the promotional, competitive and economic environment and inventory loss trends,” Thalestris’s accounts disclose.

This accounting trick is also familiar to some IP-heavy multinationals with a base in Ireland. It was, for example, used by Abbott Rapid Diagnostics in the profit-shifting structure it has established between Ireland and Malta.

Finally, Thalestris reported a €2.5 million once-off loss on “the disposal of an investment in SNP Technologies Limited to a third party. This investment was held by Intellexa Limited (BVI)”. The Currency was unable to identify a company called SNP Technologies active in 2020.

After recording all these losses, Thalestris ended the year with a tax credit worth over €100,000.

– Thomas Hubert

When asked if any Irish government or law enforcement agencies had been approached by Thalestris or Intellexa, or if any agencies had availed of Intellexa’s services, the Department of Justice declined to elaborate.

“For sound operational and national security reasons it would not be appropriate to comment on the details of national security arrangements, nor would it be appropriate to disclose the department’s cyber security arrangements or those of state offices, agencies and bodies under the department’s remit,” a spokesman told The Currency.

It did not comment on whether Minister Helen McEntee had been made aware of Predator’s Irish links. An Garda Síochána declined to respond to any of the questions put to it regarding Thalestris, Dilian, and Predator.

“We can’t always rely on the cover-all of national security,” said Ruairí Ó Murchú, Sinn Féin’s communications spokesperson. “We need to be careful that we’re not dealing with those that sell products that facilitate actions that are profoundly anti-democratic. If there are companies selling these wares that are operating out of this state, there needs to be a significant degree of due diligence, and we need to know what interactions there have been between this state and those companies.”

It was the use of Predator against Greek journalist Thanasis Koukakis that brought it to high-level European attention. In a closed-door committee meeting held on July 29, Panagiotis Kontoleon, the head of Greece’s National Intelligence Service, conceded to Greek lawmakers that Koukakis, along with opposition leader Nikos Androulakis, was being spied on by his agency, two sources present at the meeting told Reuters.

The scandal around the surveillance later led to the resignation of Kontoleon and Grigoris Dimitriadis, the general secretary of the Greek prime minister’s office. Greek Prime Minister Kyriakos Mitsotakis denied knowledge of any hacking.

But Ioannis Vrailas, the Greek ambassador to the EU, denied Predator itself had been used in the surveillance in a letter to the EU justice directorate on August 2, saying that the National Intelligence Service “[had] not bought or ever used [Predator] or any other illegal surveillance system”. An investigation into the matter is ongoing.

The Greek scandal has put both Predator and Dilian himself on the radar of the European Parliament inquiry into the use of spyware. In ’t Veld, as part of her work with the inquiry, published a series of questions she has submitted to Dilian regarding the companies, including on its operations in other European countries.

“Are you sure you’re not being watched?” asked In ’t Veld. “The reality is you can’t be sure.”

*****

The use of spyware has developed into a major crisis. There has been a catalogue of serious incidents over the past 13 months: the hacking of Catalan independence politicians, the targeting of European Commission officials and journalists, lawyers and activists in France, Spain, Hungary, and Poland. But the story of Koukakis introduced new players: Dilian, Predator, and the Intellexa alliance. Until the revelations about Koukakis were made public, all of the previous hacking incidents could be traced back to the NSO Group.

Ireland has yet to contend with a major spyware scandal of its own. In August 2021, Minister for Foreign Affairs Simon Coveney said during an Oireachtas Committee meeting that his phone had been hacked, but later news reports said the alleged hack was criminal in nature. And while Ireland has been targeted in a major cyberattack – the ransomware attack on the HSE – there have been no signs yet of targeted attacks of the kind seen against Koukakis or against the Catalan independence movement.

“It’s an incredibly dangerous world,” said Ó Murchú. “We definitely need a greater level of oversight, transparency and accountability… I accept that police forces will, at times, have to do particular things in relation to dealing with serious criminals, but we’ve seen the sort of instances in which [spyware] has been used, and by who it has been used, and that is deeply worrying.”

Ireland as a target

Ireland is a juicy target. It plays host to the European headquarters of some of the world’s most valuable hi-tech multinationals, with regular interactions between our government and senior executives of these companies. The country has an outsized role in global telecommunications, being a hub of both major data centres and of the subsea cables used to power the internet. And Ireland is also a haven of financial secrets, used to secret away billions in foreign wealth.

But, despite this, Irish cybersecurity infrastructure is seen as relatively weak, particularly for a developed hi-tech economy. In the Global Cybersecurity Index 2020, a review of state cybersecurity published by the UN’s telecommunications agency, Ireland ranked 46th, making it one of the lowest ranked countries in the EU and ranking it behind countries like Nigeria, Thailand, Indonesia and Vietnam. A 2021 study by the International Information System Security Certification Consortium, meanwhile, estimated that Ireland needed at least 10,000 extra cybersecurity professionals to make up the shortfall in the labour market. Cyber Ireland, an Irish industry body, cited this shortfall as a key vulnerability as regards data breaches.

Ireland has recently taken steps to strengthen its cyber-resilience, such as signing up to the Microsoft Government Security Program earlier this year and committing, in July, to “significantly strengthen” the cyber-defence capabilities of the Defence Forces as part of a wide-ranging shake-up spurred in part by Russia’s invasion of Ukraine. (When asked about Thalestris and its corporate presence here in Ireland, the Defence Forces declined to comment.) The National Cyber Security Centre, which was formed in 2015, was also beefed up last year with the addition of 20 new roles and the creation of a dedicated new headquarters in Beggars Bush, Dublin. (When asked to comment for this piece, the National Cyber Security Centre said it “does not comment on operational issues for reasons of national security”.)

It’s unknown whether or not the state is itself using spyware. The Department of Justice did not answer that question for this article, but reporting by Bloomberg earlier this year raised the possibility that Ireland had purchased the details of a so-called “zero-click exploit” – a vulnerability that allows a device to be hacked even without a user-end action – from a company called Arity Business Inc. The claim that Ireland had done so was made by Arity executive Alex Prokopenko.

“It’s not just authoritarians that are abusing these tools, but also democratic states, and states in Europe,” Donncha Ó Cearbhaill, a spyware expert with Amnesty International, told The Currency. “So far we haven’t seen enough transparency from states about what companies in the EU are exporting these tools, or transparency about what states are buying them.”

“Time and time again, we’ve seen how these tools have been abused by states to target civil society, journalists, activists and political opposition,” Ó Cearbhaill said. “So it’s clear the current system of regulation isn’t fit for purpose.”

Dilian, Hamou and company

One of the key figures in Dilian’s efforts to keep at arm’s length from his companies is Sara Hamou. The current status of her personal relationship with Dilian is unknown, though extensive business links remain between the pair, and Dilian continues to engage with Hamou on LinkedIn, liking one of her posts as recently as two months ago. 

Dilian is both the trademark holder and an investor in Medovie, the London-based skincare company where Hamou is listed as co-founder. Hamou’s brother, Shadi, is still listed as an employee of Intellexa on LinkedIn, indicating the ties between the pair still run deep.

Hamou’s career in skincare is a recent departure. Her background is that of a highly experienced corporate lawyer and tax adviser – the perfect person to act as a director and corporate guide to Dilian in how to navigate the EU in what could be called a tax-efficient way. As well as acting as director for three of the Irish companies connected to Dilian – Thalestris, Intellexa and the recently dissolved Manufuture – Hamou acts as director for Yomali Labs Limited, the Irish offshoot of the Yomali Group, an e-commerce software provider. 

Yomali’s move into the Irish market in 2021 with the announcement of 40 new jobs generated some positive spin from the Government. “I’m really happy Yomali has chosen Ireland as the location for its new HQ, which will see the creation of 40 new highly skilled jobs over the next three years,” said Tánaiste Leo Varadkar. “I hope they continue to build on their excellent relationship with Ireland in the period ahead.” Aside from Hamou’s directorship, there is no indication of any other connections between Yomali and Dilian’s web of companies.

Hamou’s background has as many unanswered questions as Dilian’s. Her nationality on company documents is given as Polish, though she appears to have spent much of her childhood in Cyprus. She told the website Just Entrepreneurs that she “grew up in a Middle Eastern environment”. Her Facebook profile also hints at that heritage, with many of Hamou’s friends hailing from Lebanon.

Much of her career was spent working in the corporate law sector in Cyprus, but Hamou now calls London home. Her connection to the UK goes back to her childhood; both she and her brother Shadi studied at Foley’s, a British school in Limassol that follows the British national curriculum.

Hamou initially answered The Currency’s phone call to her Cyprus number, but she requested a call back, and has since failed to pick up. Questions sent to the same number via WhatsApp remain unanswered.

She too stands to profit from its success; Thalestris accounts show she holds a six per cent shareholding in the company.

In recent weeks, lawmakers held two spyware hearings, and In ’t Veld took the opportunity to press Europol for an EU-wide investigation. “They have the power to independently propose their own investigations since May,” In ’t Veld told me. The legislation does give Europol the power to press member states to investigate crimes, but Europol deputy director Jean-Philippe Lecouffe told the spyware inquiry that it was unable to act, putting the ball firmly in the courts of the member states. 

“We have the Commission already confirming that there are infected phones of Commission officials, we have European politicians who are confirmed to be subjected to infected phones,” said Renew MEP Dragos Tudorache. “How long will Europol wait until it will call a member state and ask for an investigation to be launched?”

By the time the European Parliament ceases its inquiry, the pressure to launch a bloc-wide criminal investigation may become too intense to ignore. If such an investigation does take place, Ireland’s role as a corporate enabler for Dilian and his companies will come under scrutiny.  

The clandestine world of spyware and its providers is, as In ’t Veld said, a murky place. One thing, however, is clear – the damage it can do to those who are targeted.

At the European Parliament spyware hearing, one of those victims, Carine Kanimba, the daughter of the wrongfully imprisoned Rwandan activist Paul Rusesabagina, was given an opportunity to speak. “I’m frightened by what the Rwandan government could do to me and my family,” said Kanimba. “It keeps me awake at night that they knew everything I was doing, where I was, who I was speaking to, my private thoughts and actions, and they could know that any time they wanted to. Unless there are consequences for countries and their enablers who abuse this technology to hurt innocent people, none of us are safe.”